in TestSuites/ADFamily/src/Adapter/MS-ADTS-LDAP/AD_LDAPModelAdapter.cs [568:1640]
public void AddOperation(
IList<string> attribnVals,
RightsOnParentObjects accessRights,
NCRight NCRights,
ServerVersion dcLevel,
string control,
ADImplementations service,
bool isRODC,
out ConstrOnAddOpErrs errorStatus)
{
Site.Log.Add(LogEntryKind.Debug, "[AddOperation]: Entering...");
#region Variables
errorStatus = ConstrOnAddOpErrs.success;
List<DirectoryAttribute> newObjAttributes = new List<DirectoryAttribute>();
string newObjDN = string.Empty;
Guid newObjGuid = Guid.NewGuid();
string newObjClass = string.Empty;
bool isNewObjExists = false;
ICollection<AdtsSearchResultEntryPacket> searchResponse;
string[] searchAttrToReturn = null;
string[] searchAttrVals = null;
#endregion
#region Connect and Bind
if (isConnected == false)
{
if (isRODC)
{
SetConnectAndBind(service, RODCNetbiosName);
}
else
{
SetConnectAndBind(service, PDCNetbiosName);
}
}
#endregion
#region RootDSE Modify schemaUpdateNow
// [MS-ADTS] section 3.1.1.3.3.13 schemaUpdateNow
// After the completion of this operation, the subschema exposed by the server reflects the current state
// of the schema as defined by the attributeSchema and classSchema objects in the schema NC.
DirectoryAttributeModification schemaRefresh = new DirectoryAttributeModification();
schemaRefresh.Name = "schemaUpdateNow";
schemaRefresh.Add("1");
schemaRefresh.Operation = DirectoryAttributeOperation.Add;
List<DirectoryAttributeModification> refreshAttributes = new List<DirectoryAttributeModification>();
refreshAttributes.Add(schemaRefresh);
try
{
result = adLdapClient.ModifyObject(null, refreshAttributes, null, isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("RootDSE Modify operation on schemaUpdateNow should be successful, actual result: {0}", result));
}
catch (Exception ex)
{
result = string.Empty;
Site.Log.Add(LogEntryKind.Warning, ex.Message);
}
#endregion
#region Attributes
foreach (string attrib in attribnVals)
{
string item = attrib;
switch (service)
{
case ADImplementations.AD_LDS:
if (item.Contains("distinguishedName"))
{
item = item.Replace("CN=Configuration,CN={368E6FB2-DBCB-41A1-B65B-18FAC4B5516E}", configurationNC);
item = item.Replace("CN=ApplicationNamingContext,DC=adts88", defaultNC);
}
break;
case ADImplementations.AD_DS:
default:
item = item.Replace("DC=adts88", rootDomainNC);
//dnsRoot: xxx.contoso.com
if (item.Split(':')[0].Trim().Equals("dnsRoot"))
{
item = item.Replace("adts88", PrimaryDomainDnsName);
}
break;
}
if (item.Contains("Governs-ID"))
{
item = item.Replace("Governs-ID", "governsID");
}
// get distinguishedName
if (item.Contains("distinguishedName"))
{
newObjDN = item.Split(':')[1].Trim();
}
// get objectClass
if (item.Contains("objectClass"))
{
if (item.Contains(";"))
{
newObjClass = item.Remove(0, item.LastIndexOf(';') + 1);
}
else
{
newObjClass = item.Split(':')[1].Trim();
}
}
// [MS-ADTS] section 3.1.1.5.2.2 Constraints (Add Opertaion)
// The requester is allowed to specify the objectGUID if the following five conditions are all satisfied:
if (item.Contains("objectGUID"))
{
string[] attr = item.Split(':');
if (attr.Length > 1
&& new Guid(attr[1]) != newObjGuid)
{
item = string.Format("{0}: {1}", attr[0], newObjGuid.ToString());
}
Site.Log.Add(LogEntryKind.Debug, string.Format("[MS-ADTS] section 3.1.1.5.2.2 Constraints (Add Opertaion)"));
// (1) The fSpecifyGUIDOnAdd heuristic is true in the dSHeuristics attribute (see section 6.1.1.2.4.1.2).
Site.Log.Add(LogEntryKind.Debug,
string.Format("(1) The fSpecifyGUIDOnAdd heuristic is true in the dSHeuristics attribute (see section 6.1.1.2.4.1.2)"));
List<DirectoryAttributeModification> attribstoModify = new List<DirectoryAttributeModification>();
DirectoryAttributeModification attribs = new DirectoryAttributeModification();
attribs.Name = "dSHeuristics";
attribs.Add("00000000011");
attribs.Operation = DirectoryAttributeOperation.Replace;
attribstoModify.Add(attribs);
try
{
result = adLdapClient.ModifyObject(
"CN=Directory Service,CN=Windows NT,CN=Services," + configurationNC,
attribstoModify,
null,
isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("Modify dSHeuristics operation should be successful, actual result: {0}", result));
}
catch (Exception ex)
{
result = string.Empty;
Site.Log.Add(LogEntryKind.Warning, ex.Message);
}
// (2) The requester has the Add-GUID control access right (section 5.1.3.2.1) on the NC root of
// the NC where the object is being added.
// This is checked in the next phase
Site.Log.Add(LogEntryKind.Debug,
string.Format("(2) The requester has the Add-GUID control access right (section 5.1.3.2.1) on the NC root of the NC where the object is being added."));
// (3) The requester-specified objectGUID is not currently in use in the forest.
try
{
result = adLdapClient.SearchObject(
rootDomainNC,
System.DirectoryServices.Protocols.SearchScope.Subtree,
string.Format("objectGUID={0}", Utilities.Guid2OctetString(newObjGuid)),
new string[] { "*" },
null,
out searchResponse,
isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("Search operation on object with objectGUID {0} should be successful, actual result: {1}", newObjGuid.ToString(), result));
Site.Assert.IsNull(searchResponse,
string.Format("(3) The requester-specified objectGUID is not currently in use in the forest."));
}
catch (Exception ex)
{
result = string.Empty;
Site.Log.Add(LogEntryKind.Warning, ex.Message);
}
// (4) Active Directory is operating as AD DS.
Site.Assert.AreEqual(ADImplementations.AD_DS, service,
string.Format("(4) Active Directory is operating as AD DS."));
// (5) The requester-specified objectGUID is not the NULL GUID.
Site.Assert.IsNotNull(newObjGuid,
string.Format("(5) The requester-specified objectGUID is not the NULL GUID."));
}
// add item to attrVals list for add operation
if (!item.Contains("allowedChildClasses")
&& !item.Contains("objectSid")
&& !item.Contains("memberOf")
&& !item.Contains("isCriticalSystemObject")
&& !item.Contains("<Not Set>"))
{
newObjAttributes.Add(new DirectoryAttribute(item));
}
}
#endregion
#region Control Access Rights
if (currentService.Equals(ADImplementations.AD_DS))
{
//considering default NcRight as RIGHT_DS_ADD_GUID
if (NCRights == NCRight.RIGHT_DS_ADD_GUID)
{
Utilities.RemoveControlAcessRights(
rootDomainNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ControlAccessRight.Add_GUID,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Deny);
Utilities.SetControlAcessRights(
rootDomainNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ControlAccessRight.Add_GUID,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow);
}
if (NCRights == NCRight.notAValidRight
&& newObjDN.Contains("GuidUser"))
{
Utilities.SetControlAcessRights(
rootDomainNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ControlAccessRight.Add_GUID,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Deny);
}
}
#endregion
#region Check if object to be added already exist
//Application NC can't be deleted if it is added once.
if (newObjDN.Split(',')[0].Trim().Equals("CN=ADTSFirstClass")
|| newObjDN.Split(',')[0].Trim().Equals("CN=AdtsSecondClass")
|| newObjDN.Split(',')[0].Trim().Equals("CN=AdtsThirdClass")
|| newObjDN.Split(',')[0].Trim().Equals("CN=AdtsFourthClass")
|| newObjDN.Split(',')[0].Trim().Equals("CN=AdtsTestClass")
|| newObjDN.Split(',')[0].Trim().Equals("CN=AdtsUserClass1")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctAttribute")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctAttribute5")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctAttribute7")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctAttribute8")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctAttribute9")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctAttribute10")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctClass1")
|| newObjDN.Split(',')[0].Trim().Equals("CN=DefunctClass3")
|| newObjDN.Split(',')[0].Trim().Equals("CN=TempClass")
|| newObjDN.Split(',')[0].Trim().Equals("CN=TestAttribute1")
|| newObjDN.Split(',')[0].Trim().Equals("CN=TestClass")
|| newObjDN.Split(',')[0].Trim().Equals("CN=TestClass1")
|| newObjDN.Split(',')[0].Trim().Equals("CN=TestDefunctAttribute1")
|| newObjDN.Split(',')[0].Trim().Equals("CN=TestDefunctClass1")
|| newObjDN.Split(',')[0].Trim().Equals("CN=SystemFlagsAttrib")
|| newObjDN.Split(',')[0].Trim().Equals("CN=SystemFlagsAttribNotIncludeBase1")
|| newObjDN.Split(',')[0].Trim().Equals("CN=SystemOnlyClass")
|| newObjDN.Split(',')[0].Trim().Equals("DC=NewAppNC"))
{
isNewObjExists = Utilities.IsObjectExist(newObjDN, currentWorkingDC.FQDN, currentPort);
}
#endregion
#region Add Operation
// if object existed, password related objects and their corresponding attribute changes are not allowed in win2k3, hence bypassing it
if (isNewObjExists)
{
errorStatus = ConstrOnAddOpErrs.success;
}
else
{
try
{
result = adLdapClient.AddObject(
newObjDN,
newObjAttributes,
null,
isWindows);
Site.Log.Add(LogEntryKind.Debug, "The AddObject returns: {0}", result);
}
catch (Exception ex)
{
result = string.Empty;
Site.Log.Add(LogEntryKind.Warning, ex.Message);
}
// get error code
if (!isWindows)
{
#region Switch Error Status (Non-Windows)
switch (result)
{
case "UnwillingToPerform":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_UnKnownError;
break;
case "NoSuchObject":
errorStatus = ConstrOnAddOpErrs.NoSuchObject_UnKnownError;
break;
case "NoSuchAttribute":
errorStatus = ConstrOnAddOpErrs.NoSuchAttribute_UnKnownError;
break;
case "ObjectClassViolation":
errorStatus = ConstrOnAddOpErrs.ObjectClassViolation_UnKnownError;
break;
case "EntryAlreadyExists":
errorStatus = ConstrOnAddOpErrs.EntryAlreadyExists_UnKnownError;
break;
case "InvalidDNSyntax":
errorStatus = ConstrOnAddOpErrs.InvalidDNSyntax_UnKnownError;
break;
case "AttributeOrValueExists":
errorStatus = ConstrOnAddOpErrs.AttributeOrValueExists_UnKnownError;
break;
case "ConstraintViolation":
errorStatus = ConstrOnAddOpErrs.ConstraintViolation_UnKnownError;
break;
case "NamingViolation":
errorStatus = ConstrOnAddOpErrs.NamingViolation_UnKnownError;
break;
case "Success":
errorStatus = ConstrOnAddOpErrs.success;
break;
default:
errorStatus = ConstrOnAddOpErrs.unSpecifiedError;
break;
}
#endregion
}
else
{
#region Switch ErrorStatus (Windows)
switch (result)
{
case "UnwillingToPerform_UnKnownError":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_UnKnownError;
break;
case "UnwillingToPerform_ERROR_DS_BAD_INSTANCE_TYPE":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_BAD_INSTANCE_TYPE;
break;
case "ObjectClassViolation_ERROR_DS_ILLEGAL_MOD_OPERATION":
errorStatus = ConstrOnAddOpErrs.ObjectClassViolation_ERROR_DS_ILLEGAL_MOD_OPERATION;
break;
case "UnwillingToPerform_ERROR_DS_ADD_REPLICA_INHIBITED":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_ADD_REPLICA_INHIBITED;
break;
case "UnwillingToPerform_ERROR_DS_BAD_NAME_SYNTAX":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_BAD_NAME_SYNTAX;
break;
case "UnwillingToPerform_ERROR_DS_OBJ_CLASS_NOT_DEFINED":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_OBJ_CLASS_NOT_DEFINED;
break;
case "UnwillingToPerform_ERROR_DS_ILLEGAL_MOD_OPERATION":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_ILLEGAL_MOD_OPERATION;
break;
case "NamingViolation_ERROR_DS_NAME_UNPARSEABLE":
errorStatus = ConstrOnAddOpErrs.NamingViolation_ERROR_DS_NAME_UNPARSEABLE;
break;
case "UnwillingToPerform_ERROR_DS_ATT_NOT_DEF_IN_SCHEMA":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_ATT_NOT_DEF_IN_SCHEMA;
break;
case "UnwillingToPerform_ERROR_DS_SECURITY_ILLEGAL_MODIFY":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_SECURITY_ILLEGAL_MODIFY;
break;
case "UnwillingToPerform_ERROR_DS_CANT_ADD_SYSTEM_ONLY":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_CANT_ADD_SYSTEM_ONLY;
break;
case "UnwillingToPerform_ERROR_DS_CLASS_MUST_BE_CONCRETE":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_CLASS_MUST_BE_CONCRETE;
break;
case "InvalidDNSyntax_ERROR_DS_BAD_NAME_SYNTAX":
errorStatus = ConstrOnAddOpErrs.InvalidDNSyntax_ERROR_DS_BAD_NAME_SYNTAX;
break;
case "NoSuchObject_UnKnownError":
errorStatus = ConstrOnAddOpErrs.NoSuchObject_UnKnownError;
break;
case "NoSuchObject_ERROR_DS_OBJ_NOT_FOUND":
errorStatus = ConstrOnAddOpErrs.NoSuchObject_ERROR_DS_OBJ_NOT_FOUND;
break;
case "NamingViolation_ERROR_DS_RDN_DOESNT_MATCH_SCHEMA":
errorStatus = ConstrOnAddOpErrs.NamingViolation_ERROR_DS_RDN_DOESNT_MATCH_SCHEMA;
break;
case "UnwillingToPerform_ERROR_DS_UNWILLING_TO_PERFORM":
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_ERROR_DS_UNWILLING_TO_PERFORM;
break;
case "ObjectClassViolation_ERROR_DS_OBJ_CLASS_NOT_SUBCLASS":
errorStatus = ConstrOnAddOpErrs.ObjectClassViolation_ERROR_DS_OBJ_CLASS_NOT_SUBCLASS;
break;
case "NamingViolation_ERROR_DS_ILLEGAL_SUPERIOR":
errorStatus = ConstrOnAddOpErrs.NamingViolation_ERROR_DS_ILLEGAL_SUPERIOR;
break;
case "ObjectClassViolation_ERROR_DS_OBJECT_CLASS_REQUIRED":
errorStatus = ConstrOnAddOpErrs.objectClassViolation_ERROR_DS_OBJECT_CLASS_REQUIRED;
break;
case "NoSuchAttribute_ERROR_INVALID_PARAMETER":
errorStatus = ConstrOnAddOpErrs.NoSuchAttribute_ERROR_INVALID_PARAMETER;
break;
case "EntryAlreadyExists_UnKnownError":
errorStatus = ConstrOnAddOpErrs.EntryAlreadyExists_UnKnownError;
break;
case "InvalidDNSyntax_UnKnownError":
errorStatus = ConstrOnAddOpErrs.InvalidDNSyntax_UnKnownError;
break;
case "AttributeOrValueExists_ERROR_DS_NAME_NOT_UNIQUE":
errorStatus = ConstrOnAddOpErrs.AttributeOrValueExists_ERROR_DS_NAME_NOT_UNIQUE;
break;
case "ConstraintViolation_ERROR_DS_ATTRIBUTE_OWNED_BY_SAM":
errorStatus = ConstrOnAddOpErrs.ConstraintViolation_ERROR_DS_ATTRIBUTE_OWNED_BY_SAM;
break;
case "ConstraintViolation_ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST":
errorStatus = ConstrOnAddOpErrs.ConstraintViolation_ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST;
break;
case "ConstraintViolation_ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST":
errorStatus = ConstrOnAddOpErrs.ConstraintViolation_ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST;
break;
case "Success_STATUS_SUCCESS":
errorStatus = ConstrOnAddOpErrs.success;
break;
default:
errorStatus = ConstrOnAddOpErrs.unSpecifiedError;
break;
}
#endregion
}
}
#endregion
#region Requirements on Add Operations
// if add operation is successful, do the following verifications
if (errorStatus.Equals(ConstrOnAddOpErrs.success))
{
#region Record objectGUID for the newly added object
// objectGUID and instanceType attributes will always be returned in an ldap search
searchAttrToReturn = new string[] { "objectGUID" };
result = adLdapClient.SearchObject(
newObjDN,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=*)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
#region objectGUID
byte[][] attrVal = adLdapClient.GetAttributeValuesInBytes(entrypacket, "objectGUID");
newObjGuid = new Guid(attrVal[0]);
if (!guidHashTable.ContainsKey(newObjDN))
{
guidHashTable.Add(newObjDN, newObjGuid);
}
Site.Log.Add(LogEntryKind.Debug, string.Format("objectGUID: {0}", newObjGuid.ToString()));
#endregion
}
}
#endregion
#region Search Root NC for instanceType Flags
searchAttrToReturn = new string[] { "subRefs", "instanceType" };
// [MS-ADTS] section 3.1.1.5.2.6 NC Requirements
// The following requirements apply to the data stored in NC roots:
// (1) IT_NC_HEAD: set in NC roots' instanceType attribute
// (2) IT_NC_ABOVE: has immediate parent
// (3) child NC stored in NC roots' subRefs attribute
result = adLdapClient.SearchObject(
configurationNC,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=configuration)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("Search operation on {0} should be successful, actual result: {1}", configurationNC, result));
Site.Log.Add(LogEntryKind.Debug, string.Format("{0} {1} found.", searchResponse.Count, searchResponse.Count > 1 ? "entries were" : "entry was"));
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "instanceType");
Site.CaptureRequirementIfIsTrue(
IntegerSymbols.UnparseUInt32Enum(
typeof(InstanceTypeFlags),
(uint)int.Parse(searchAttrVals[0].ToString(), CultureInfo.InvariantCulture))
.Contains("IT_NC_HEAD"),
1477,
@"During add operation, the requirements apply to the data stored in NC roots is that the IT_NC_HEAD bit is set
in the instanceType attribute.");
if (currentService.Equals(ADImplementations.AD_DS))
{
Site.CaptureRequirementIfIsTrue(
IntegerSymbols.UnparseUInt32Enum(
typeof(InstanceTypeFlags),
(uint)int.Parse(searchAttrVals[0].ToString(), CultureInfo.InvariantCulture))
.Contains("IT_NC_ABOVE"),
1478,
@"During add operation, the requirements apply to the data stored in NC roots is that if the NC has an immediate
parent (which must be an NC root per the preceding rules), then IT_NC_ABOVE bit is be set in its instanceType attribute.");
}
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "subRefs");
Site.CaptureRequirementIfAreNotEqual<string>(
string.Empty,
searchAttrVals[0].ToString(),
1479,
@"During add operation, the requirements apply to the data stored in NC roots is that if the NC has child NCs,
then their DNs are listed in its subRefs attribute.");
}
#endregion
#region Search Created CrossRef Object
if (newObjDN.Contains("SampleCrossRef"))
{
searchAttrToReturn = new string[] { "objectClass" };
result = adLdapClient.SearchObject(
newObjDN,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=crossref)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("Search operation on {0} should be successful, actual result: {1}", newObjDN, result));
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "objectClass");
// objectClass should be: top;crossRef, check the second element of the attribute value list
Site.Log.Add(LogEntryKind.Debug, string.Format("objectClass: {0}", searchAttrVals[1]));
Site.CaptureRequirementIfAreEqual<string>(
"crossRef",
searchAttrVals[1],
526,
"Creation and deletion of crossRef objects representing naming contexts must happen on the domain naming FSMO DC.");
}
}
}
#endregion
#region Search Created User Object
if (newObjClass.Equals("user", StringComparison.InvariantCultureIgnoreCase))
{
// objectGUID and instanceType attributes will always be returned in an ldap search
searchAttrToReturn = new string[] { "systemFlags", "objectGUID", "objectSid", "distinguishedName", "instanceType", "badPwdCount", "badPasswordTime" };
result = adLdapClient.SearchObject(
newObjDN,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=user)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
#region systemFlags
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "systemFlags");
if (searchAttrVals != null)
{
Site.Log.Add(LogEntryKind.Debug, string.Format("systemFlags: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreEqual<string>(
searchAttrVals[0],
"0",
633,
@"If a value of the systemFlags attribute is specified by the requestor, the DC removes any flags not listed
below from the systemFlags value before storing it on the new object:
FLAG_CONFIG_ALLOW_RENAME FLAG_CONFIG_ALLOW_MOVE FLAG_CONFIG_ALLOW_LIMITED_MOVE FLAG_ATTR_IS_RDN
(removed unless the object is an attributeSchema object).");
}
else
{
Site.Log.Add(LogEntryKind.Warning, string.Format("systemFlags is not set."));
}
#endregion
#region objectGUID R26, R27
byte[][] attrVal = adLdapClient.GetAttributeValuesInBytes(entrypacket, "objectGUID");
newObjGuid = new Guid(attrVal[0]);
Site.Log.Add(LogEntryKind.Debug, string.Format("objectGUID: {0}", newObjGuid.ToString()));
Site.CaptureRequirementIfIsNotNull(
attrVal,
26,
@"A fresh GUID is assigned to the objectGUID attribute of an object during its creation (LDAP Add).");
Site.CaptureRequirementIfIsNotNull(
attrVal,
27,
@"During LDAP Add operation, once a fresh GUID is assigned to the objectGUID attribute, this attribute is read-only.");
#endregion
#region objectSid R28, R29
attrVal = adLdapClient.GetAttributeValuesInBytes(entrypacket, "objectSid");
Site.Log.Add(LogEntryKind.Debug, string.Format("objectSid: {0}", (new SecurityIdentifier(attrVal[0], 0)).ToString()));
Site.CaptureRequirementIfIsNotNull(
attrVal,
28,
@"A fresh security identifier (SID) is assigned to the objectSid attribute of an object during its creation (LDAP Add).");
Site.CaptureRequirementIfIsNotNull(
attrVal,
29,
@"During LDAP Add operation, once a fresh SID is assigned to the objectSid attribute of a security principal object, this attribute is read-only.");
#endregion
#region distinguishedName R52
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "distinguishedName");
Site.Log.Add(LogEntryKind.Debug, string.Format("distinguishedName: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreNotEqual<string>(
string.Empty,
searchAttrVals[0],
52,
@"The behavior of single-valued Object(DS-DN) attribute on an object src is:
if object dst has not been deleted, reading attribute a which contains the object reference gives the dsname of object dst,
even if dst has been renamed since a was written.");
#endregion
#region instanceType R636
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "instanceType");
Site.Log.Add(LogEntryKind.Debug, string.Format("instanceType: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreEqual<string>(
"4",
searchAttrVals[0],
636,
@"The value of instanceType attribute is written. For originating updates of regular objects, it is IT_WRITE.");
#endregion
#region badPwdCount, badPasswordTime R629
if (service.Equals(ADImplementations.AD_LDS))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "badPwdCount");
Site.Log.Add(LogEntryKind.Debug, string.Format("badPwdCount: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreEqual<int>(
0,
int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture),
629,
@"In AD/LDS, if an AD/LDS user is being created, then badPwdCount and badPasswordTime values are set to zero.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "badPasswordTime");
Site.Log.Add(LogEntryKind.Debug, string.Format("badPasswordTime: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreEqual<int>(
0,
int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture),
629,
@"In AD/LDS, if an AD/LDS user is being created, then badPwdCount and badPasswordTime values are set to zero.");
}
#endregion
}
}
}
#endregion
#region Search Created Group Object
if (newObjClass.Equals("group", StringComparison.InvariantCultureIgnoreCase))
{
searchAttrToReturn = new string[] { "groupType", "objectSid" };
result = adLdapClient.SearchObject(
newObjDN,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=group)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
#region R626, R627, R628
if (service.Equals(ADImplementations.AD_LDS))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "groupType");
Site.Log.Add(LogEntryKind.Debug, string.Format("groupType: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreNotEqual<long>(
0,
(Convert.ToInt32(searchAttrVals[0], 10) & 0x80000002),
628,
@"In AD/LDS, if a group object is being created, and the groupType attribute is not specified,
then the GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED value is assigned to groupType.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "objectSid");
Site.Log.Add(LogEntryKind.Debug, string.Format("objectSid: {0}", searchAttrVals[0]));
byte[] byteVal = Encoding.ASCII.GetBytes(searchAttrVals[0]);
byte[] identifierAuthority = new byte[6];
byte revision = byteVal[0];
byte subAuthorityCount = byteVal[1];
Array.Copy(byteVal, 2, identifierAuthority, 0, 6);
Site.CaptureRequirementIfIsTrue(
(identifierAuthority[0] == 0)
&& (identifierAuthority[1] == 0)
&& ((byte)(identifierAuthority[2] & 0x10) == 0x10),
626,
@"In AD/LDS, if the object being added is an NC root and not the schema NC root, then it is given an objectSid value, ignoring schema constraints. The objectSid value is generated using the following algorithm, which produces a random SID with 1 sub-authority:
The IdentifierAuthority value (6 bytes) is generated as follows: the first 2 bytes are zero, the high 4 bits of the 3rd byte are 0001, and the remaining 3.5 bytes (the lower 4 bits of the 3rd byte, and bytes 4, 5 and 6) are randomly generated.
The first sub-authority value (DWORD) is randomly generated.");
Site.CaptureRequirementIfIsTrue(
(revision == 1)
&& (subAuthorityCount == 5),
627,
@"In AD/LDS, if the object being added is an AD/LDS security principal (an object that is not an NC root and contains the objectSid attribute), then the objectSid value is generated using the following algorithm, which produces a random SID with 5 sub-authorities:
The Revision byte is 1.
The SubAuthorityCount is 5.
The IdentifierAuthority is set to the same value as the IdentifierAuthority of the SID of the NC root.
The first SubAuthority is set to the same value as the first SubAuthority of the SID of the NC root.
A randomly generated GUID value (16 bytes or 4 DWORDs) is taken as 2nd, 3rd, 4th and 5th SubAuthority values of the new SID value. This GUID value is unrelated to the objectGUID value that is also generated randomly for the object being added.");
}
#endregion
}
}
}
#endregion
#region Search Created Attribute Schema Object
if (newObjClass.Equals("attributeSchema", StringComparison.InvariantCultureIgnoreCase))
{
searchAttrToReturn = new string[] { "schemaIDGUID", "linkID", "lDAPDisplayName" };
result = adLdapClient.SearchObject(
newObjDN,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=attributeSchema)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
#region R81, R84, R104, R96
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "schemaIDGUID");
Site.Log.Add(LogEntryKind.Debug, string.Format("schemaIDGUID: {0}", Encoding.ASCII.GetBytes(searchAttrVals[0])));
Site.CaptureRequirementIfIsNotNull(
new Guid(Encoding.ASCII.GetBytes(searchAttrVals[0])),
81,
@"If schemaIDGUID attribute is not specified on attributeSchema object during Add, the DC generates a fresh GUID.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "linkID");
if (searchAttrVals != null)
{
Site.Log.Add(LogEntryKind.Debug, string.Format("linkID: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfIsNotNull(
int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture),
104,
@"If the DC functional level is DS_BEHAVIOR_WIN2003 or greater, and an attributeSchema object is created with LDAP Add,
and the Add request assigns the OID 1.2.840.113556.1.2.50 as the value of the linkID attribute, then the DC sets
the linkID attribute to an even integer that does not already appear as the linkID on a schema object.");
Site.CaptureRequirementIfIsTrue(
((int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture)) % 2 == 0),
84,
@"If linkID is even, the attribute is a forward link attribute.");
}
else
{
Site.Log.Add(LogEntryKind.Warning, string.Format("linkID is not set."));
}
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "lDAPDisplayName");
Site.Log.Add(LogEntryKind.Debug, string.Format("lDAPDisplayName: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreNotEqual<string>(
string.Empty,
searchAttrVals[0],
96,
@"If lDAPDisplayName attribute is not specified on attributeSchema Object of the Add,
the DC generates a value for this attribute.");
#endregion
}
}
}
#endregion
#region Search Created Class Schema Object
if (newObjClass.Equals("classSchema", StringComparison.InvariantCultureIgnoreCase))
{
searchAttrToReturn = new string[] { "schemaIDGUID", "lDAPDisplayName", "objectCategory", "defaultObjectCategory" };
result = adLdapClient.SearchObject(
newObjDN,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=classSchema)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
#region R121, R124, R634
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "schemaIDGUID");
Site.Log.Add(LogEntryKind.Debug, string.Format("schemaIDGUID: {0}", Encoding.ASCII.GetBytes(searchAttrVals[0])));
Site.CaptureRequirementIfIsNotNull(
new Guid(Encoding.ASCII.GetBytes(searchAttrVals[0])),
121,
@"If schemaIDGUID attribute is not specified on classSchema object during Add, the DC generates a fresh GUID.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "lDAPDisplayName");
Site.Log.Add(LogEntryKind.Debug, string.Format("lDAPDisplayName: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreNotEqual<string>(
string.Empty,
searchAttrVals[0],
124,
@"If lDAPDisplayName attribute is not specified on classSchema Object of the Add,
the DC generates a value for this attribute.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "objectCategory");
Site.Log.Add(LogEntryKind.Debug, string.Format("objectCategory: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreNotEqual<string>(
string.Empty,
searchAttrVals[0],
634,
@"If a value for the objectCategory attribute was not specified by the requestor, then it is defaulted to the
current value of the defaultObjectCategory attribute on the classSchema object corresponding to the most
specific structural object class of the object being added.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "defaultObjectCategory");
Site.Log.Add(LogEntryKind.Debug, string.Format("defaultObjectCategory: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreNotEqual<string>(
string.Empty,
searchAttrVals[0],
126,
@"The defaultObjectCategory value is the default value of the objectCategory attribute of new instances of the
class if none is specified during LDAP Add.");
#endregion
}
}
}
#endregion
#region Search Created NC for appNC Invariants
if (newObjDN.Split(',')[0].Contains("NewAppNC"))
{
searchAttrToReturn = new string[] { "subRefs" };
result = adLdapClient.SearchObject(
rootDomainNC,
System.DirectoryServices.Protocols.SearchScope.Base,
"(objectClass=*)",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("Search operation on CN=Partitions,{0} should be successful, actual result: {1}", rootDomainNC, result));
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "subRefs");
Site.Log.Add(LogEntryKind.Debug, string.Format("subRefs: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreEqual<string>(
newObjDN.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
4315,
@"During an NC-Add operation performed as an originating update, the matching crossRef object is updated as follows:
If the NC being created is child of an NC P, and the server in which the NC is being created has a replica of P,
then the new NC root will be the subordinate reference object to the new NC.");
Site.CaptureRequirementIfAreEqual<string>(
newObjDN.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
104315,
@"During an NC-Add operation performed as an originating update, the matching crossRef object is updated as follows:
If the NC being created is child of an NC P, and the server in which the NC is being created has a replica of P,
then the new NC root] must be listed in the subRefs attribute of P's NC root.");
}
}
searchAttrToReturn = new string[] { "nCName", "instanceType", "dnsRoot", "systemFlags", "Enabled" };
result = adLdapClient.SearchObject(
"CN=Partitions," + configurationNC,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(&(objectClass=crossref)(nCName=" + newObjDN.Split(',')[0] + "," + rootDomainNC + "))",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("Search operation on CN=Partitions,{0} should be successful, actual result: {1}", configurationNC, result));
if (searchResponse != null)
{
Site.CaptureRequirementIfIsTrue(
searchResponse.Count > 0,
649,
@"During an NC-Add operation performed as an originating update, the matching crossRef object is obtained.");
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "Enabled");
Site.CaptureRequirementIfIsNull(
searchAttrVals,
652,
@"During an NC-Add operation performed as an originating update, the matching crossRef object is updated as follows:
(1) the Enabled attribute is removed,
(2) the dnsRoot is updated to contain the full DNS name of the NC, as computed from the NC DN.");
Site.CaptureRequirementIfIsNull(
searchAttrVals,
1485,
@"During add operation, the crossRef corresponding to the new NC has been pre-created (that is, it was created previously).
It is a crossRef object that satisfies the requirement that the Enabled attribute is not set.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "dnsRoot");
Site.Log.Add(LogEntryKind.Debug, string.Format("dnsRoot: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfIsTrue(
searchAttrVals[0].Contains(currentWorkingDC.Domain.FQDN),
1486,
@"During add operation, the crossRef corresponding to the new NC has been pre-created (that is, it was created previously).
It is a crossRef object that satisfies the requirement that the dnsRoot attribute value matches the dnsName of the DC
processing the NC-Add operation.");
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "systemFlags");
Site.Log.Add(LogEntryKind.Debug, string.Format("systemFlags: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfIsTrue(
IntegerSymbols.UnparseUInt32Enum(
typeof(SystemFlags), (uint)int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture))
.Contains("FLAG_CR_NTDS_NC, FLAG_CR_NTDS_NOT_GC_REPLICATED"),
1487,
@"During add operation, the crossRef corresponding to the new NC has been pre-created (that is, it was created previously).
It is a crossRef object that satisfies the requirement that the systemFlags value has these bits set:
FLAG_CR_NTDS_NC and FLAG_CR_NTDS_NOT_GC_REPLICATED.");
/*Site.CaptureRequirementIfIsTrue(
IntegerSymbols.UnparseUInt32Enum(
typeof(SystemFlags), (uint)int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture))
.Contains("FLAG_CR_NTDS_NC, FLAG_CR_NTDS_NOT_GC_REPLICATED"),
1482,
@"During add operation, the invariant that apply to crossRef objects is that the
FLAG_CR_NTDS_NOT_GC_REPLICATED bit is set in systemFlags if and only if the nCName represents an Application Active Directory NC.");
Site.CaptureRequirementIfIsTrue(
IntegerSymbols.UnparseUInt32Enum(
typeof(SystemFlags), (uint)int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture))
.Contains("FLAG_CR_NTDS_NC"),
1483,
@"During add operation, the invariant that apply to crossRef objects is that the
FLAG_CR_NTDS_NC bit is set in systemFlags and the Enabled attribute value is false,
then the crossRef represents an intention to create an Active Directory NC.
Otherwise, it represents an Active Directory NC that is actually present.");*/
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "nCName");
Site.Log.Add(LogEntryKind.Debug, string.Format("nCName: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfAreEqual<string>(
newObjDN,
searchAttrVals[0],
1484,
@"During add operation, the crossRef corresponding to the new NC has been pre-created (that is, it was created previously).
It is a crossRef object that satisfies the requirement that the nCName matches the DN of the NC being created.");
}
}
}
#endregion
#region crossRefInvariants
//Application NC
if (newObjDN.Split(',').Length == 3 && newObjDN.Split(',')[0].Split('=')[0].Trim() != "CN")
{
searchAttrToReturn = new string[] { "nCName", "systemFlags", "Enabled" };
result = adLdapClient.SearchObject(
"CN=Partitions," + configurationNC,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(&(objectClass=crossref)(systemFlags:1.2.840.113556.1.4.804:=3)(systemFlags:1.2.840.113556.1.4.804:=1)(ncName=" + rootDomainNC + "))",
searchAttrToReturn,
null,
out searchResponse,
isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("Search operation on CN=Partitions,{0} should be successful, actual result: {1}", configurationNC, result));
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "systemflags");
Site.Log.Add(LogEntryKind.Debug, string.Format("systemFlags: {0}", searchAttrVals[0]));
Site.CaptureRequirementIfIsTrue(
IntegerSymbols.UnparseUInt32Enum(
typeof(SystemFlags), (uint)int.Parse(searchAttrVals[0], CultureInfo.InvariantCulture))
.Contains("FLAG_CR_NTDS_NC"),
1480,
@"During add operation, the requirements that apply to crossRef objects is that the FLAG_CR_NTDS_NC bit is set
in systemFlags if and only if the nCName represents an Active Directory NC.");
}
}
}
#endregion
}
else
{
if (isRODC && (errorStatus == ConstrOnAddOpErrs.NoSuchObject_ERROR_DS_OBJ_NOT_FOUND))
{
errorStatus = ConstrOnAddOpErrs.NoSuchObject_UnKnownError;
}
}
#endregion
#region Return values for specific attributes
if (errorStatus != ConstrOnAddOpErrs.success)
{
if (attribnVals.Contains("cn: AdtsTestTdiClass")
|| attribnVals.Contains("cn: DyUser")
|| attribnVals.Contains("cn: SPUser1"))
{
errorStatus = ConstrOnAddOpErrs.unSpecifiedError;
}
if (attribnVals.Contains("distinguishedName: CN=user6746+CN=user67,CN=Users,DC=adts88"))
{
errorStatus = ConstrOnAddOpErrs.InvalidDNSyntax_UnKnownError;
}
if (attribnVals.Contains("cn: NewClass"))
{
errorStatus = ConstrOnAddOpErrs.UnwillingToPerform_UnKnownError;
}
if (attribnVals.Contains("distinguishedName: CN=NewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNewComputerNew,DC=adts88"))
{
errorStatus = ConstrOnAddOpErrs.NamingViolation_UnKnownError;
}
}
#endregion
Site.Log.Add(LogEntryKind.Debug, "[AddOperation]: Exiting...");
}